from the could-get-interesting dept

A group of seven smaller international ISPs, many of which tend to be used by activists, are now suing GCHQ via the Investigatory Powers Tribunal, for hacking into their networks. The focus of the lawsuit is on the GCHQ's now infamous hacking of Belgian telco Belgacom, via a quantum insert, to get access to a variety of communications. While those revelations don't name any of the service providers filing suit, they note that "the type of surveillance being carried out allows them to challenge the practices in the IPT because they and their users are at threat of being targeted." The seven service providers are:

There may be a big question as to whether or not any of those organizations really have standing if there's no evidence they were actually targeted by GCHQ, but I don't know enough about how the Investigatory Powers Tribunal works when it comes to the question of who has standing to judge at the outset. Either way, the service providers note that GCHQ's activities violate the European convention on human rights:

First, in the course of such an attack, network assets and computers belonging
to the internet and communications service provider are altered without the
provider’s consent. That is in itself unlawful under the Computer Misuse Act
1990 in the absence of some supervening authorisation. Depending on the
nature and extent of the alterations, the attacks may also cause damage
amounting to an unlawful interference with the internet and communications
service provider’s property contrary to Article 1 of the First Protocol (“A1P1”)
to the European Convention on Human Rights (“ECHR”).

Second, the surveillance of the internet and communications service
provider’s employees is an obvious interference with the rights of those
employees under Articles 8 and 10 ECHR, and by extension the provider’s
own Article 10 rights. As Der Spiegel reported in relation to a separate attack
on Mach, a data clearing company, a computer expert working for the
company was heavily targeted: “A complex graph of his digital life depicts the
man’s name in red crosshairs and lists his work computers and those he uses
privately (‘suspected tablet PC’). His Skype username is listed, as are his Gmail
account and his profile on a social networking site. […] In short, GCHQ knew
everything about the man’s digital life.” It is not simply a question of GCHQ
confining its interest to employees’ professional lives. They are interested in
knowing everything about the staff and administrators of computer
networks, so as to be better able to exploit the networks they are charged to
protect.

Third, the exploitation of network infrastructure enables GCHQ to conduct
mass and intrusive surveillance on the customers and users of the internet
and communications service providers’ services in contravention of Articles 8
and 10 ECHR. Network exploitation of internet infrastructure enables GCHQ
to undertake a range of highly invasive mass surveillance activities, including
the application of packet capture (mass scanning of internet
communications); the weakening of encryption capabilities; the observation
and redirection of internet browsing activities; the censoring or modification
of communications en route; and the creation of avenues for targeted
infection of users’ devices. Not only does each of these actions involve serious
interferences with Article 8 ECHR rights, by creating vulnerabilities and
mistrust in internet infrastructure they also chill free expression in
contravention of Article 10 ECHR.

Fourth, the use by GCHQ of internet and communications service providers’
infrastructure to spy on the providers’ users on such an enormous scale
strikes at the heart of the relationship between those users and the provider
itself. The fact that the internet and communications service providers are
essentially deputised by GCHQ to engage in heavily intrusive surveillance of
their own customers threatens to damage or destroy the goodwill in that
relationship, itself an interference with the provider’s rights under A1P1.

Certainly a case worth watching if it can get past the standing issue.